IAP with local EAP-TLS, not seeing Terminated-option

Hi,

 

I'm trying to configure client certificate authentication with IAP only, as we don't have (and are not going to have) a RADIUS server.

 

We have +20 APs, IAP-315 running 6.5.4.7 firmware.

 

First problem: There's no Termination option in security settings. Per user guide and this https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/MCGeneratedPopups/Popup_-2140548310.htm it should be there.


 

Second problem: when trying to upload certificate, it gives an error saying "The file xyz.pem was not uploaded because it is not a properly formatted certificate file."

It looks like this: 
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgIJAKXYlS8PLR6ZMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
. . . LINES . . . .
wnzNiNncyuHoya1ko8F/0hK0y/PaXriLSC/rmSG71X+P5yZji9wx0xc=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3SH70yCOJusRaLJ1rRm2Qd/xOHbnHvt5ZUnRUqqijn45CJYL
. . . LINES . . . .
axvp9SaUE1Q4pKPwoX7fjnm++NvNZudki5OAKLHWUJYrjKwtGXldeA==
-----END RSA PRIVATE KEY-----

 

I've read a lot of topics from this forum and tried this and that, but can't get it working. 

At least this is a similar situation to mine.

 

Any help appreciated :) 

Re: IAP with local EAP-TLS, not seeing Terminated-option

The internal server always uses EAP Termination. You can check: if you select an external server, the option is displayed; for the internal server it is left out, as there is no other option.

 

Also, from the user guide:

Supported EAP Authentication Frameworks

The following EAP authentication frameworks are supported in the Instant network:

EAP-TLS—The EAP-TLS method supports the termination of EAP-TLS security using the internal RADIUS server. The EAP-TLS requires both server and CA certificates installed on the Instant AP. The client certificate is verified on the virtual controller (the client certificate must be signed by a known CA) before the username is verified on the authentication server.

(removed other options)

To use the Instant AP’s internal database for user authentication, add the usernames and passwords of the users to be authenticated.

 

For the certificate import, make sure you select the right type (Authentication Server). Concatenating the key and certs like you did should work fine. It might be that a message is logged in the AP system (or security) log that tells why the certificate wasn't imported.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
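
A structural pre-check for a concatenated certificate-plus-key PEM file like the one in the question, as an added example that is not part of the original thread and is not Aruba's import logic. The faults it looks for (byte order mark, CRLF line endings, stray whitespace, invalid base64, missing blocks) are assumptions about what can make a parser reject such a file; `make_pem` and the sample bundle are hypothetical, constructed dummy data rather than a real certificate or key.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.S)

def check_pem_bundle(data: bytes) -> list:
    """Return a list of structural problems in a PEM bundle (empty list = none found)."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 byte order mark")
        data = data[3:]
    if b"\r\n" in data:
        problems.append("CRLF line endings")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["non-ASCII bytes in file"]
    labels = []
    for begin, body, end in PEM_RE.findall(text):
        if begin != end:
            problems.append(f"BEGIN {begin} closed by END {end}")
            continue
        lines = body.splitlines()
        if any(line != line.strip() for line in lines):
            problems.append(f"{begin}: whitespace around base64 lines")
        try:
            der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        except ValueError:
            problems.append(f"{begin}: body is not valid base64")
            continue
        if not der or der[0] != 0x30:  # certificates and keys are DER SEQUENCEs
            problems.append(f"{begin}: decoded data is not a DER SEQUENCE")
        labels.append(begin)
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block")
    return problems

# Constructed sample: dummy bytes with a SEQUENCE tag, not a real cert or key.
def make_pem(label: bytes, der: bytes) -> bytes:
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label, base64.encodebytes(der), label)

DUMMY_DER = b"\x30\x82\x01\x00" + bytes(60)
SAMPLE_CERT = make_pem(b"CERTIFICATE", DUMMY_DER)
SAMPLE_BUNDLE = SAMPLE_CERT + make_pem(b"RSA PRIVATE KEY", DUMMY_DER)
```

An empty result only means the file is structurally sound; it does not validate the certificate itself or confirm that the key matches it.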